Channels - using SSL with reverse proxy behind Apache. Does Daphne need to support SSL and WSS?


generat...@gmail.com

May 8, 2017, 3:15:35 PM
to Django users
Hi, I'm running Django Channels with Daphne behind Apache using reverse proxy. Everything is working non-SSL and here's my Apache virtualhost conf

<VirtualHost x.x.x.x:80>
SuexecUserGroup "#1029" "#1029"
ServerName aaa.bbb.com
ServerAlias www.aaa.bbb.com
ErrorLog /var/log/virtualmin/aaa.bbb.com_error_log
CustomLog /var/log/virtualmin/aaa.bbb.com_access_log combined
DirectoryIndex index.html index.htm index.php index.php4 index.php5

ProxyPreserveHost On
ProxyPass /public/static !
ProxyPass "/ws/"  "ws://127.0.0.1:8000/"
ProxyPass "/wss/"  "wss://127.0.0.1:8000/"
ProxyPassReverse "/ws/"  "ws://127.0.0.1:8000/"
ProxyPassReverse "/wss/"  "wss://127.0.0.1:8000/"
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/

Alias /public/static /home/wsock/wsock_system/interface/public/static
<Directory /home/wsock/wsock_system/interface/public/static>
  Require all granted
</Directory>

</VirtualHost>

Now I want to implement SSL. I've got this virtualhost conf for port 443, which I'm sure is set up incorrectly

<VirtualHost x.x.x.x:443>
SuexecUserGroup "#1029" "#1029"
ServerName aaa.bbb.com
ServerAlias www.aaa.bbb.com
ErrorLog /var/log/virtualmin/aaa.bbb.com_error_log
CustomLog /var/log/virtualmin/aaa.bbb.com_access_log combined
DirectoryIndex index.html index.htm index.php index.php4 index.php5

ProxyPreserveHost On
ProxyPass /public/static !
ProxyPass "/ws/"  "ws://127.0.0.1:8000/"
ProxyPassReverse "/ws/"  "ws://127.0.0.1:8000/"
SSLProxyEngine on
ProxyPass "/wss/"  "wss://127.0.0.1:8000/"
ProxyPassReverse "/wss/"  "wss://127.0.0.1:8000/"
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/

SSLEngine on
SSLCertificateFile /home/wsock/ssl.cert
SSLCertificateKeyFile /home/wsock/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Alias /public/static /home/wsock/wsock_system/interface/public/static
<Directory /home/wsock/wsock_system/interface/public/static>
  Require all granted
</Directory>

</VirtualHost>

I'm launching Daphne and the works from supervisord

[program:server_interface]

command=/home/wsock/wsock_system/interface/environment/bin/daphne -b 127.0.0.1 -p 8000 perks.asgi:channel_layer -v 2 --access-log /home/wsock/wsock_system/interface/logs/daphne-access.log
directory=/home/wsock/wsock_system/interface
redirect_stderr=false
stderr_logfile=/home/wsock/wsock_system/interface/logs/daphne-stderr.log
stdout_logfile=/home/wsock/wsock_system/interface/logs/daphne-stdout.log

autostart=true
autorestart=true
stopasgroup=true
user=wsock

For normal Django webpage browsing, SSL is working and I get the browser SSL padlock. Now I'm trying to configure my external websockets to also use SSL.

My questions are:

1) Since I'm using Apache "out front", do I need to use SSL on Daphne (with Twisted) when launching it like referred to here? Or is Apache handling all the SSL and Daphne will just see non-SSL traffic (both for web browsing and websocket traffic)?
https://github.com/django/daphne

2) Also, for websocket SSL to work, do my external websockets need to connect to the URL wss://aaa.bbb.com ? Or does ws://aaa.bbb.com also work? Currently when I configure my external websockets to connect to aaa.bbb.com:80 with URL ws: it works, but when I also connect to aaa.bbb.com:443 with URL ws: that also works. Connecting to any port as wss: does not work.

TIA


Andrew Godwin

May 8, 2017, 6:51:43 PM
to django...@googlegroups.com
Hi,

First, to proxy WebSockets, you have to use mod_proxy_wstunnel - the built-in mod_proxy does not understand the headers that allow WebSocket upgrades and will generally make it fail.

Once you have that, you do not need to configure Daphne to terminate SSL because Apache is doing it for you - it will forward all traffic to Daphne unencrypted.

For URLs, you will have to use "wss://aaa.bbb.ccc:443". If it works with "ws:" only, that means SSL termination is not working and everything is unsecured.

Andrew
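
The answer above applied to the port 443 virtual host from the question, as an added example that is not part of the original thread. Hostnames, paths and the backend port are the question's own placeholders; the port 80 redirect is an assumption that plaintext access is no longer wanted.

```apache
# Added example (not from the thread). Modules that must be loaded:
# mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel.

# Assumption: plaintext is no longer wanted, so port 80 only redirects.
# ws:// clients then fail instead of silently running unencrypted.
<VirtualHost x.x.x.x:80>
ServerName aaa.bbb.com
ServerAlias www.aaa.bbb.com
Redirect permanent / https://aaa.bbb.com/
</VirtualHost>

<VirtualHost x.x.x.x:443>
ServerName aaa.bbb.com
ServerAlias www.aaa.bbb.com

# Apache terminates TLS. Clients reach this vhost with https:// and
# wss://; the scheme comes from the TLS listener, not from the URL path,
# so no separate "/wss/" mapping is needed.
SSLEngine on
SSLCertificateFile /home/wsock/ssl.cert
SSLCertificateKeyFile /home/wsock/ssl.key
# Copied unchanged from the question.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

ProxyPreserveHost On
ProxyPass /public/static !

# The hop to Daphne is unencrypted on loopback, so the backend scheme is
# ws://. A wss:// backend target and SSLProxyEngine would make Apache
# attempt a TLS handshake that Daphne (started without TLS) cannot answer.
# ProxyPass rules are checked in order, so this must precede "/".
ProxyPass "/ws/" "ws://127.0.0.1:8000/"
ProxyPassReverse "/ws/" "ws://127.0.0.1:8000/"

# Everything else goes to Daphne as plain HTTP.
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/

Alias /public/static /home/wsock/wsock_system/interface/public/static
<Directory /home/wsock/wsock_system/interface/public/static>
  Require all granted
</Directory>
</VirtualHost>
```

With this layout a client connects to wss://aaa.bbb.com/ws/ on port 443, and Daphne keeps listening on 127.0.0.1:8000 exactly as in the supervisord command from the question.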
